Interaction between YubiKey plugin in 2.5.4 and Input Monitoring permission on macOS 10.15.2

[MatthiasValvekens]

I've hit a fairly bizarre issue since upgrading to KeePassXC 2.5.4 on my machine running macOS 10.15.2 (not 10.15.4!). My YubiKey 4 would not show up in the "Hardware Key" dropdown on the unlock screen, and clicking Refresh didn't seem to do anything. This seems to be related to the availability of the Input Monitoring permission (see below). Replugging or rebooting the machine did not resolve my problem, but I found a somewhat arcane workaround (also explained below).

I'm not sure if my issue is related to #4575 (it sure looks similar), but in my case rebooting didn't solve the problem. My OS version is also not the same (I'm on 10.15.2).

Expected Behavior

YubiKey should listed in the hardware dropdown list on the unlock screen. If necessary, a permission pop-up should appear.

Current Behavior

YubiKey does not show up in the list unless KeePassXC has the input monitoring privilege. I found this out by launching the application through the Terminal app and toggling the Input Monitoring privilege for Terminal.app on and off. The part that makes this a little tough to deal with is that, if the privilege is not already available, the YubiKey plugin apparently doesn't trigger the usual permission pop-up to request permission. Hence, I couldn't go into System Preferences to turn it on by hand.

There are two workarounds. One involves launching KeePassXC through the terminal with input monitoring enabled, which seems to work alright, but it's somewhat cumbersome (especially since I wanted to avoid having to give Terminal.app the input monitoring privilege in the first place).

Using the steps below, I (miraculously) managed to make the problem go away permanently, but I admit that I don't quite understand why this method worked.

1. Launch KeePassXC through Terminal, where input monitoring is enabled on Terminal.app.
2. Create a new database with one entry
3. Attempt to trigger Auto-Type
4. This will spawn a couple permission pop-ups for Terminal.app (including input monitoring / accessibility), in addition to an input monitoring popup for KeePassXC.
5. Enable Input Monitoring for KeePassXC in System Preferences
6. Launching KeePassXC from the dock now works as expected.

EDIT: I suppose that manually adding KeePassXC to the list of apps with input monitoring permission in System Preferences would also have worked, d'oh.

Steps to Reproduce

1. Plug in YubiKey
2. Launch KeePassXC without the Input Monitoring privilege
3. Attempt to refresh the hardware key drop-down menu
4. List stays empty, no permission pop-up is generated

Context

Not being able to open a password database is obviously an issue, but there's a workaround, so in the end it's more of a minor annoyance.

Debug Info

KeePassXC - Version 2.5.4
Revision: dcca5aa

Qt 5.14.1
Debugging mode is disabled.

Operating system: macOS 10.15
CPU architecture: x86_64
Kernel: darwin 19.2.0

Enabled extensions:

• Auto-Type
• Browser Integration
• SSH Agent
• KeeShare (signed and unsigned sharing)
• YubiKey
• TouchID

Cryptographic libraries:
libgcrypt 1.8.5

[droidmonkey]

There is nothing we can do, Apple did not expose the input monitoring permissions in their API. See also #3329

[MatthiasValvekens]

There is nothing we can do, Apple did not expose the input monitoring permissions in their API.

Aha, fair enough then. Thanks a lot for the quick reply!